German court finds fault with Facebook’s default privacy settings

A court in Germany has ruled that Facebook’s default privacy settings and some of its terms and conditions breached local laws. The Berlin court passed judgement late last month but the verdict was only made public this week.

The legal challenge, which dates back to 2015, was filed by a local consumer rights association, the vzbv. It successfully argued Facebook’s default privacy settings breach local consent rules by not providing clear enough information for the company to gather ‘informed consent’ from users when they agreed to its T&Cs.

“Facebook hides default settings that are not privacy-friendly in its privacy centre and does not provide sufficient information about this when users register,” said Heiko Dünkel, litigation policy officer at vzbv, in a statement. “This does not meet the requirement for informed consent.”

Pre-formulated declarations of consent are clearly on borrowed time in the European Union, as the bloc will shortly have an updated data protection framework — GDPR — which strengthens and clarifies the rules around obtaining consent to process personal data.

And pre-ticked consent boxes buried at the end of lengthy, opaque and vague T&Cs will not pass muster under the new standard. So the regional court’s finding on that aligns with wider incoming personal data processing consent standards that will be enforced across the entire EU from this May.

The vzbv also successfully challenged Facebook’s real names policy — which the Berlin regional court agreed was unlawful. This was partly down to local laws, with the German Telemedia Act requiring providers of online services to allow users to use services anonymously.

But also again on consent grounds; vzbv said the court took the view that Facebook’s requirement for users to use their real names was a covert way of obtaining their consent to the use of this data — which it asserts was “reason enough” to rule it unlawful.

The group also sought to argue that Facebook’s claim that its service is ‘free and always will be’ is misleading, on the grounds that consumers are ‘paying’ with their data.

However the court dismissed that argument.

It also rejected several other claims against provisions in Facebook’s privacy policy — which vzbv said it intends to appeal in the Berlin Appeals Court. Though it says a majority of its claims against Facebook were upheld.

Facebook confirmed that it will also appeal against the portions of the ruling where vzbv did prevail. It also made the point that its approach to privacy has changed — and will change further — since the case was originally filed.

In a statement, a company spokesperson told us:

We are reviewing this recent decision carefully and are pleased that the court agreed with us on a number of issues. Our products and policies have changed a lot since this case was brought, and further changes to our terms and Data Policy are anticipated later this year in light of upcoming changes to the law. We work hard to ensure that our policies are clear and easy to understand, and that all aspects of the Facebook Service are in compliance with applicable law.

The GDPR, which gives EU data protection agencies powers to fine companies up to 4% of the annual global turnover, will apply across the bloc from May 25.

According to Dünkel, a ruling from the Berlin Appeals Court could take a further one to three years. So GDPR will certainly be in force by the time there’s another decision in this legal saga.

“Since core principles of the old data protection regime are by and large enshrined in Art 5 -11 GDPR as well, we will most certainly check on these things after the GDPR coming into force,” Dünkel added.